Today is...
Tuesday, June 19, 2018
Welcome to Control.com, the global online
community of automation professionals.
Featured Video...
Featured Video
EtherCAT with CTC’s master lets your multivendor network play well together...
Our Advertisers
Help keep our servers running...
Patronize our advertisers!
Visit our Post Archive
Virus Infection via serial Modbus
Is it possible for an infected powermeter being the Modbus slave to infect its master via a serial connection?
By Rob Burghard on 2 June, 2018 - 4:35 am

Is it possible for an infected powermeter being the Modbus slave to infect its master via a serial connection? Assume that the powermeter was pre-infected by a PC when it was programmed via a Modbus over TCP/IP connection. Then is was installed in the plant en connected to a master via the serial bus.

1 out of 1 members thought this post was helpful...

With all bus connections there is always a possibility one device infects an other, but in this case i believe the risk is as good as impossible.

Power meters in general do have a microcontroller, but they are not PC's with operating systems vulnerable to viruses.

Modbus is a master slave protocol, so the master has to request certain registers, the slave responds and then the master will write the received data in dedicated registers. Even tough Modbus can be used to read and write bytes of code it is generally used to exchange bytes of data.

By Rob Burghard on 2 June, 2018 - 12:26 pm

Thank you. Perhaps my question wasn't clear. Let's say this powermeter has an infected OS. Can the virus then be transferred over the serial RS485 bus to the master?

If you suspect an infected powermeter transfers a virus to your PC over the serial line using Modbus, I think you have to fire your programmer or use software on your PC from a reliable supplier. If you are really in control over the master communication on the PC the risk is not existing.

Assuming you are using third party software on the PC to communicate with the power meter, this software will use easier ways to infect your PC instead of loading this code from the powermeter.

By Rob Burghard on 2 June, 2018 - 5:33 pm

Thank you. Can we conclude then in general that it is impossible for a Modbus master to get a virus via a SERIAL line from an infected slave?

By Luca Gallina on 5 June, 2018 - 7:11 pm
1 out of 1 members thought this post was helpful...

trying to shed some light:

1. a Modbus Master polls for DATA.

2. the Modbus Slave (regardless if infected or not) will reply with DATA

3. the Modbus Master will receive the DATA and will store it within its DATA memory (not program memory).

All that said, an improbable infected power meter will just send wrong DATA values, not code nor instructions.
I would say that there are no "virus" that can harm your Master on a serial line.

It isn't that simple. Depending heavily on what programming language, processor, OS, and libraries are involved, malformed data can certainly be used as an attack vector.

For example, passing an address out of range in a write register command could easily attack a modbus driver running on a 16-bit microcontroller--if the developer is an idiot and didn't check the address against the valid range. I've seen plenty of that kind of vulnerability in older devices though.

Even on a PC based Modbus master you can't rule out an attach without actually auditing the code for vulnerabilities--which is certainly done for many devices, but not all (good vendors use static code analysis, code reviews, and independent security audits). Buffer overruns are the usual culprit, or attacks on specific logic bugs in the processing of the modbus frame.

All that said, we're taking possible here, not likely. There has to both a vulnerability and a determined attacker. We're talking stuxnet level APTs here, where the modbus link is just one of hundreds of vectors the attacker is evaluating for a particular target. They'll use it if they can, move on to other components of the system if not.

2 out of 2 members thought this post was helpful...

Is this a hypothetical question? If you've got an infected powermeter I'd love to know more details.

There's a prior discussion on this subject already (use search), but it boils down to whether you're talking about a general threat or specific threat. No general malware is going to be able to jump across a modbus link, but there is a chance that an attack designed specifically for a particular Modbus master could do it--if there is a nasty bug or two in its software, and you've got a motivated attacker that knows your system well.

By Rob Burghard on 10 June, 2018 - 1:19 pm

Thank you!

The question is a very fundamental but real one: Can an infected Modbus slave infect its master also via a serial connection? I know that via an IP-connection it's possible.

By Fred Loveless on 6 June, 2018 - 10:57 am
1 out of 1 members thought this post was helpful...

It is possible but highly improbably that a virus could be passed up to the PC from the slave. The master would have to be poorly written and allow it to process malformed packets from the slave that could over write protected memory areas allowing the virus to then propagate on the PC.

The more likely result of an infected meter would be incorrect data. Mostly effecting any process loops in the meter or causing the master to take actions that are detrimental to the process monitored by the meter.

You are more susceptible to having the packet hijacked and manipulated on its way from the meter to the master especially if you are going through a gateway.

These types of attacks require an inside knowledge of the meters and the process that they are used in.